I have lost the superadmin password. What to do ?
Article ID: 125716
Updated On:
Products
CA Virtual Privilege Manager
CA Privileged Identity Management Endpoint (PIM)
CA Privileged Access Manager (PAM)
Issue/Introduction
The superadmin user in PIM is used to access the ENTM environment and therefore, losing its password may render the management GUI unusable unless other users are provisioned with similar privileges.
Can I reset or change the password of the superadmin account if I lost it after installation ?
Can I reset or change the password of the superadmin account if I lost it after installation ?
Environment
CA PIM 12.X, 14.X and CA PAM SC 14.X ENTM on Windows
A very similar procedure applies to UNIX
A very similar procedure applies to UNIX
Resolution
The superadmin password is encrypted and may not be retrieved in clear text, so the only thing we can do is to encrypt it again using a tool called pwdTools
C:\Program Files\CA\AccessControlServer\IAM Suite\Access Control\tools\PasswordTool\PwdTools.bat
You may need to edit it to set the JAVA_HOME environment
The command:
PwdTools.bat -FIPS -p password -k
"C:\jboss-4.2.3.GA\server\default\deploy\IdentityMinder.ear\config\com\netegrity\config\keys\FIPSkey.dat"
will encrypt the phrase 'password' using your JBoss FIPS key. For example:
Plain Text: password
Encrypted value: {AES}:4zERcmCrsLJtiuDaiygdmA==
This is will only encrypt the new password to text. It then needs to be replaced in the Database that you are using as a user store.
The procedure will then depend on whether this is Active Directory (AD) or SQL.
If the user store is in SQL there is a table called tblusers which contains the information of the users
First look at the existing passphrase to compare:
SQL> select password from tblusers where loginid='superadmin';
PASSWORD
--------------------------------------------------
{AES}:JIZqLtFyvf6at0VM3nVjdg==
Assuming you know the password for superadmin, running this command should yield a result which should be the same as the encrypted password obtained following the procedure above. For instance if the superadmin password were 'password' then both the query result and the PwdTools.bat result should be {AES}:4zERcmCrsLJtiuDaiygdmA==
If both results are different, it means that the superadmin password stored is different from the one that we want to set and so we would update the database to use the new encrypted passphrase:
SQL> update tblusers set password='{AES}:4zERcmCrsLJtiuDaiygdmA==' where loginid='superadmin';
SQL> commit;
If AD is used as a user store, you can export ac-dir.xml through the Identity Manager management console page, idmmanage and then you can replace the encrypted password in this xml with the password encrypted with PwdTools.bat as explained above. Then you import ac-dir.xml again into PIM.
Note that the Identity Manager page is not enabled by default. If you need to access it you need to follow this procedure
https://docops.ca.com/ca-privileged-identity-manager/12-9-01/EN/implementing/using-the-ca-identity-manager-management-console/enable-the-ca-identity-manager-management-console
After following it, idmmanage is accessible as
http://<pim_server>:18080/idmmanage or https://<pim_server>:18443/idmmanage
depending on whether you are using ssl or not.
There you can export the ac-dir.xml if you need to follow the procedure above
C:\Program Files\CA\AccessControlServer\IAM Suite\Access Control\tools\PasswordTool\PwdTools.bat
You may need to edit it to set the JAVA_HOME environment
The command:
PwdTools.bat -FIPS -p password -k
"C:\jboss-4.2.3.GA\server\default\deploy\IdentityMinder.ear\config\com\netegrity\config\keys\FIPSkey.dat"
will encrypt the phrase 'password' using your JBoss FIPS key. For example:
Plain Text: password
Encrypted value: {AES}:4zERcmCrsLJtiuDaiygdmA==
This is will only encrypt the new password to text. It then needs to be replaced in the Database that you are using as a user store.
The procedure will then depend on whether this is Active Directory (AD) or SQL.
If the user store is in SQL there is a table called tblusers which contains the information of the users
First look at the existing passphrase to compare:
SQL> select password from tblusers where loginid='superadmin';
PASSWORD
--------------------------------------------------
{AES}:JIZqLtFyvf6at0VM3nVjdg==
Assuming you know the password for superadmin, running this command should yield a result which should be the same as the encrypted password obtained following the procedure above. For instance if the superadmin password were 'password' then both the query result and the PwdTools.bat result should be {AES}:4zERcmCrsLJtiuDaiygdmA==
If both results are different, it means that the superadmin password stored is different from the one that we want to set and so we would update the database to use the new encrypted passphrase:
SQL> update tblusers set password='{AES}:4zERcmCrsLJtiuDaiygdmA==' where loginid='superadmin';
SQL> commit;
If AD is used as a user store, you can export ac-dir.xml through the Identity Manager management console page, idmmanage and then you can replace the encrypted password in this xml with the password encrypted with PwdTools.bat as explained above. Then you import ac-dir.xml again into PIM.
Note that the Identity Manager page is not enabled by default. If you need to access it you need to follow this procedure
https://docops.ca.com/ca-privileged-identity-manager/12-9-01/EN/implementing/using-the-ca-identity-manager-management-console/enable-the-ca-identity-manager-management-console
After following it, idmmanage is accessible as
http://<pim_server>:18080/idmmanage or https://<pim_server>:18443/idmmanage
depending on whether you are using ssl or not.
There you can export the ac-dir.xml if you need to follow the procedure above
Feedback
Yes
No
Powered by
